General

  • Target

    35b25e8a599fc857bf044d6c44815135d338597237215ae0c33d573557e0e778N

  • Size

    31KB

  • Sample

    241015-3swkfsxdkl

  • MD5

    d81a5a206c0f6da1a9df209699f20790

  • SHA1

    b3a9d3cb284083a8d3987eae5b3b69211009f7c0

  • SHA256

    35b25e8a599fc857bf044d6c44815135d338597237215ae0c33d573557e0e778

  • SHA512

    960893ae3f482b3d868e35cb39e5f8c5e0c9f2a11155b155c0e49e6d708c5edf85f6154a718d083c82a94dd192ab1d128f0859e13d60e70af434dcaf3fe31f9f

  • SSDEEP

    768:NLA5LgJZLrGzxhucORKqnzhvv6DQmIDUu0tiawj:8UKAxRYQVkKj

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Vitima

  • C2

    year-cameroon.gl.at.ply.gg:5050

  • Mutex

    7fb93b0794e661921666b1583b4aab39

Attributes
  • reg_key

    7fb93b0794e661921666b1583b4aab39

  • splitter

    Y262SUCZ4UJJ

Targets

    • Target

      35b25e8a599fc857bf044d6c44815135d338597237215ae0c33d573557e0e778N

    • Size

      31KB

    • MD5

      d81a5a206c0f6da1a9df209699f20790

    • SHA1

      b3a9d3cb284083a8d3987eae5b3b69211009f7c0

    • SHA256

      35b25e8a599fc857bf044d6c44815135d338597237215ae0c33d573557e0e778

    • SHA512

      960893ae3f482b3d868e35cb39e5f8c5e0c9f2a11155b155c0e49e6d708c5edf85f6154a718d083c82a94dd192ab1d128f0859e13d60e70af434dcaf3fe31f9f

    • SSDEEP

      768:NLA5LgJZLrGzxhucORKqnzhvv6DQmIDUu0tiawj:8UKAxRYQVkKj

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks